dbinspect

Description

Returns information about the buckets in the specified index. If you are using Splunk Enterprise, this command helps you understand where your data resides so you can optimize disk usage as required.

The Splunk index is the repository for data ingested by Splunk software. As incoming data is indexed and transformed into events, Splunk software creates files of rawdata and metadata (index files). The files reside in sets of directories organized by age. These directories are called buckets.

Syntax

Required arguments

Optional arguments

Description: Specifies the name of an index to inspect. You can specify more than one index. For all non-internal indexes, you can specify an asterisk ( * ) in the index name.

Default: The default index, which is typically main.

<span>

Syntax: span=<int> | span=<int><timescale>

Description: Specifies the span length of the bucket. If using a timescale unit (second, minute, hour, day, month, or subseconds), this is used as a time range. If not, this is an absolute bucket "length".

Description: Specifies that each bucket is checked to determine if any buckets are corrupted and displays only the corrupted buckets. A bucket is corrupt when some of the files in the bucket are incorrect or missing such as Hosts.data or tsidx. Corrupt bucket might return incorrect data or render the bucket unsearchable. In most cases the software will auto-repair corrupt buckets.

When corruptonly=true, each bucket is checked and the following informational message appears.

INFO: The "corruptonly" option will check each of the specified buckets. This search might be slow and will take time.

The volume in bytes of the raw data files in each bucket. This value represents the volume before compression and the addition of index files.

sizeOnDiskMB

The size in MB of disk space that the bucket takes up expressed as a floating point number. This value represents the volume of the compressed raw data files and the index files.

sourceCount

The number of unique sources in the bucket.

sourceTypeCount

The number of unique sourcetypes in the bucket.

splunk_server

The name of the Splunk server that hosts the index in a distributed environment.

startEpoch

The timestamp for the first event in the bucket (the time-edge of the bucket furthest towards the past), in number of seconds from the UNIX epoch.

state

Whether the bucket is warm, hot, cold.

corruptReason

Specifies the reason why the bucket is corrupt. The corruptReason field appears only when corruptonly=true.

Usage

The dbinspect command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

Accessing data and security

If no data is returned from the index that you specify with the dbinspect command, it is possible that you do not have the authorization to access that index. The ability to access data in the Splunk indexes is controlled by the authorizations given to each role. See Use access control to secure Splunk data in Securing Splunk Enterprise.

Examples

1. CLI use of the dbinspect command

Display a chart with the span size of 1 day, using the command line interface (CLI).

2. Default dbinspect output

This screen shot does not display all of the columns in the output table. On your computer, scroll to the right to see the other columns.

3. Check for corrupt buckets

Use the corruptonly argument to display information about corrupted buckets, instead of information about all buckets. The output fields that display are the same with or without the corruptonly argument.

| dbinspect index=_internal corruptonly=true

4. Count the number of buckets for each Splunk server

Use this command to verify that the Splunk servers in your distributed environment are included in the dbinspect command. Counts the number of buckets for each server.

| dbinspect index=_internal | stats count by splunk_server

5. Find the index size of buckets in GB

Use dbinspect to find the index size of buckets in GB. For current numbers, run this search over a recent time range.

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

Feedback submitted, thanks!

You must be logged into splunk.com in order to post comments.
Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic.
If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk,
consider posting a question to Splunkbase Answers.

0
out of 1000 Characters

Your Comment Has Been Posted Above

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website.
Learn more (including how to update your settings) here »